Forms Authentication and Differences Between Windows Explorer and IE

Discussion in 'ASP .Net Security' started by Kevin Watkins, Apr 5, 2004.

  1. Hi,

    Hoping someone can help me. I have noticed different behaviour between
    a website launched from Windows explorer and Internet Explorer. I have
    set up a simple test application to demonstrate this problem:

    1. Created a new ASP.NET application in VS.NET at
    http://localhost/test.
    2. Added a default form, Default.aspx, that has a simple button that
    does the FormsAuthentication stuff:

    <%@ Page language="c#" Codebehind="Default.aspx.cs" AutoEventWireup="false" Inherits="LoginTest._Default" %>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
    <HTML>
      <HEAD>
        <title>Default</title>
      </HEAD>
      <body>
        <form id="Form1" method="post" runat="server">
          <asp:Button id="Button1" runat="server" Text="Set Session"></asp:Button>
          <br/>
          <br/>
          <asp:Label id="Label1" Runat="server"></asp:Label>
        </form>
      </body>
    </HTML>

    // Default.aspx.cs
    using System;
    using System.Web.Security;

    namespace LoginTest
    {
        public class _Default : System.Web.UI.Page
        {
            protected System.Web.UI.WebControls.Label Label1;
            protected System.Web.UI.WebControls.Button Button1;

            #region Web Form Designer generated code
            override protected void OnInit(EventArgs e)
            {
                InitializeComponent();
                base.OnInit(e);
            }

            private void InitializeComponent()
            {
                this.Button1.Click += new System.EventHandler(this.Button1_Click);
            }
            #endregion

            // Issues the forms authentication ticket as a non-persistent
            // (session) cookie and redirects to the originally requested page.
            private void Button1_Click(object sender, System.EventArgs e)
            {
                FormsAuthentication.RedirectFromLoginPage("user", false);
            }
        }
    }

    3. Added a second form that does nothing:

    <%@ Page language="c#" Codebehind="NeedsAuth.aspx.cs" AutoEventWireup="false" Inherits="LoginTest.NeedsAuth" %>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
    <HTML>
      <HEAD>
        <title>NeedsAuth</title>
      </HEAD>
      <body>
        <form id="Form1" method="post" runat="server">
          Hello!
        </form>
      </body>
    </HTML>

    // NeedsAuth.aspx.cs
    using System;

    namespace LoginTest
    {
        public class NeedsAuth : System.Web.UI.Page
        {
            protected System.Web.UI.WebControls.Label LoginLabel;

            private void Page_Load(object sender, System.EventArgs e)
            {
            }

            #region Web Form Designer generated code
            override protected void OnInit(EventArgs e)
            {
                InitializeComponent();
                base.OnInit(e);
            }

            private void InitializeComponent()
            {
                this.Load += new System.EventHandler(this.Page_Load);
            }
            #endregion
        }
    }

    4. Changed my web.config file to the following:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <compilation defaultLanguage="c#" debug="true"/>
        <customErrors mode="RemoteOnly"/>
        <authentication mode="Forms">
          <forms name="TestAuth" loginUrl="Default.aspx" protection="All"
                 timeout="30" slidingExpiration="true"/>
        </authentication>
        <authorization>
          <deny users="?"/>
        </authorization>
        <trace enabled="false" requestLimit="10" pageOutput="false"
               traceMode="SortByTime" localOnly="true"/>
        <sessionState mode="InProc" cookieless="false" timeout="40"/>
        <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
      </system.web>
    </configuration>

    Now, if I load up IE by clicking on the IE icon on my desktop, then
    type in http://localhost/test/NeedsAuth.aspx, it redirects me to
    Default.aspx. I click on the button and it redirects me back to
    NeedsAuth.aspx as it should. Now if I shut down IE, then load it up
    again by clicking on the IE icon and go to
    http://localhost/test/NeedsAuth.aspx, it redirects me to Default.aspx
    and I have to log in again, as expected.

    Everything is fine so far. However, if I try this via Windows Explorer I
    get different behaviour. If I double click on 'My Computer' and enter
    http://localhost/test/NeedsAuth.aspx into the address bar, it
    redirects me to Default.aspx. I click on the button and it redirects
    me back to NeedsAuth.aspx as it should. Now if I close the window,
    then double click on 'My Computer' and enter
    http://localhost/test/NeedsAuth.aspx again, it does not redirect me to
    Default.aspx and I am fully logged in.

    Similar tests with Page.Session and no authentication indicate that it
    also has the same behaviour.

    I presume this is to do with the way Windows Explorer runs IE. I get
    an IExplore process in Task Manager if I load IE via its icon, but I
    do not if I enter the URL into My Computer.

    This is obviously giving me a major security hole: a user could load
    up my application, forget to log out properly (or have their browser
    crash), then another user could come along, enter the URL and be
    fully logged in.

    I've tried lots of things to get around this, but cannot solve the
    problem. Currently I'm considering using a <body unload=> JavaScript
    method to post somewhere that does the FormsAuthentication.SignOut(),
    but obviously this isn't great and wouldn't be any use if the browser
    crashes. I've tried searching in these forums and in various newsgroups
    without any luck.

    Hopefully it's me being a muppet and I've missed something stupid. If
    anyone can help I'd be really grateful!

    Cheers,

    Kev
     
    Kevin Watkins, Apr 5, 2004
    #1

  2. Ken Schaefer (Guest)

    See reply to the post that you posted in the www.asp.net forums

    HTH

    Cheers
    Ken

     
    Ken Schaefer, Apr 6, 2004
    #2

  3. I have done further testing on this. I believe the problem is because
    session cookies are stored in memory. If you launch an IE instance
    then the cookies are stored in that iexplore.exe process, so are lost
    when it finishes. However if you browse the internet via explorer then
    the cookies are stored in the explorer.exe process, which obviously
    doesn't end so the session cookies don't die and the
    session/authentication carries on when you load up the site again.

    I have tested this on Win 2000 with IE 5.5 and IE 6, and on Win XP
    running IE 6. The problem only seems to occur with IE 6.

    Kev
     
    Kevin Watkins, Apr 8, 2004
    #3
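    A server-side mitigation for the point raised in this post, as an added example that is not part of the thread: since the server cannot tell whether the browser (or explorer.exe) ever discarded the session cookie, it stops honouring a ticket a fixed time after the original login, however often sliding expiration renews it. This is hypothetical code assuming .NET 2.0 or later; AbsoluteSessionPolicy, MaxLifetime, IssueTicket and Enforce are invented names, and the 8-hour ceiling and 30-minute idle timeout are assumed values chosen to match the thread's web.config.

```csharp
using System;
using System.Globalization;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

namespace LoginTest
{
    public static class AbsoluteSessionPolicy
    {
        // Assumed policy: never honour a ticket more than 8 hours after the
        // original login, however many times sliding expiration renews it.
        public static readonly TimeSpan MaxLifetime = TimeSpan.FromHours(8);

        // Replacement for RedirectFromLoginPage in Button1_Click. The real
        // login time goes into UserData because sliding renewal issues a new
        // ticket whose IssueDate is reset to the renewal time.
        public static void IssueTicket(HttpContext ctx, string userName)
        {
            string loginUtcTicks = DateTime.UtcNow.Ticks.ToString(CultureInfo.InvariantCulture);
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), // 30 = web.config timeout
                false, loginUtcTicks);                                  // false = session cookie
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                               FormsAuthentication.Encrypt(ticket));
            cookie.HttpOnly = true;
            ctx.Response.Cookies.Add(cookie);
            ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false), true);
        }

        // Call from Application_AuthenticateRequest in Global.asax; by then
        // FormsAuthenticationModule has already set ctx.User from the cookie.
        public static void Enforce(HttpContext ctx)
        {
            FormsIdentity id = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
            if (id == null) return;   // anonymous request: <deny users="?"/> handles it
            long ticks;
            bool tooOld = !long.TryParse(id.Ticket.UserData, NumberStyles.None,
                                         CultureInfo.InvariantCulture, out ticks)
                || DateTime.UtcNow - new DateTime(ticks, DateTimeKind.Utc) > MaxLifetime;
            if (!tooOld) return;

            FormsAuthentication.SignOut();   // expires the cookie in the response
            // Downgrade this request to anonymous so UrlAuthorizationModule's
            // <deny users="?"/> sends it back to the login page (Default.aspx).
            ctx.User = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        }
    }
}
```

    The idle timeout in web.config still applies on top of this ceiling; neither replaces logging out, but together they bound how long a cookie left behind in explorer.exe stays usable.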